Merge pull request #202 from konstruktoid/113_1

konstruktoid · web-flow · commit d21e8ee0bbe7 · 2017-01-24T09:47:37.000+01:00
1.13 Section 1
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 # ------------------------------------------------------------------------------
-# Docker Bench for Security v1.2.0
+# Docker Bench for Security v1.3.0
 #
 # Docker, Inc. (c) 2015-
 #
 # Checks for dozens of common best-practices around deploying Docker containers in production.
-# Inspired by the CIS Docker 1.12 Benchmark.
+# Inspired by the CIS Docker 1.13 Benchmark.
 # ------------------------------------------------------------------------------
 
 # Load dependencies
@@ -57,12 +57,12 @@ if [ -z "$logger" ]; then
 fi
 
 yell "# ------------------------------------------------------------------------------
-# Docker Bench for Security v1.2.0
+# Docker Bench for Security v1.3.0
 #
 # Docker, Inc. (c) 2015-
 #
 # Checks for dozens of common best-practices around deploying Docker containers in production.
-# Inspired by the CIS Docker 1.12 Benchmark.
+# Inspired by the CIS Docker 1.13 Benchmark.
 # ------------------------------------------------------------------------------"
 
 # Warn if not root
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
@@ -13,230 +13,205 @@ else
 fi
 
 # 1.2
-check_1_2="1.2  - Use an updated Linux Kernel"
-kernel_version=$(uname -r | cut -d "-" -f 1)
-do_version_check 3.10 "$kernel_version"
-if [ $? -eq 11 ]; then
-  warn "$check_1_2"
-else
-  pass "$check_1_2"
-fi
+check_1_2="1.2  - Harden the container host"
+info "$check_1_2"
 
 # 1.3
-check_1_3="1.3  - Harden the container host"
-info "$check_1_3"
-
-# 1.4
-check_1_4="1.4  - Remove all non-essential services from the host - Network"
-# Check for listening network services.
-listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
-if [ "$listening_services" -eq 0 ]; then
-  info "1.4  - Failed to get listening services for check: $check_1_4"
-else
-  if [ "$listening_services" -gt 5 ]; then
-    info "$check_1_4"
-    info "     * Host listening on: $listening_services ports"
-else
-    pass "$check_1_4"
-  fi
-fi
-
-# 1.5
-check_1_5="1.5  - Keep Docker up to date"
+check_1_3="1.3  - Keep Docker up to date"
 docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
   | awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
 docker_current_version="1.13.0"
 docker_current_date="2017-01-18"
 do_version_check "$docker_current_version" "$docker_version"
 if [ $? -eq 11 ]; then
-  info "$check_1_5"
+  info "$check_1_3"
   info "     * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
-  info "     * Your operating system vendor may provide support and security maintenance for docker"
+  info "     * Your operating system vendor may provide support and security maintenance for Docker"
 else
-  pass "$check_1_5"
+  pass "$check_1_3"
   info "     * Using $docker_version which is current as of $docker_current_date"
-  info "     * Check with your operating system vendor for support and security maintenance for docker"
+  info "     * Check with your operating system vendor for support and security maintenance for Docker"
 fi
 
-# 1.6
-check_1_6="1.6  - Only allow trusted users to control Docker daemon"
+# 1.4
+check_1_4="1.4  - Only allow trusted users to control Docker daemon"
 docker_users=$(getent group docker)
-info "$check_1_6"
+info "$check_1_4"
 for u in $docker_users; do
   info "     * $u"
 done
 
-# 1.7
-check_1_7="1.7  - Audit docker daemon - /usr/bin/docker"
+# 1.5
+check_1_5="1.5  - Audit docker daemon - /usr/bin/docker"
 file="/usr/bin/docker"
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   auditctl -l | grep "$file" >/dev/null 2>&1
   if [ $? -eq 0 ]; then
-    pass "$check_1_7"
+    pass "$check_1_5"
   else
-    warn "$check_1_7"
+    warn "$check_1_5"
   fi
 else
-  warn "1.7  - Failed to inspect: auditctl command not found."
+  warn "1.5  - Failed to inspect: auditctl command not found."
 fi
 
-# 1.8
-check_1_8="1.8  - Audit Docker files and directories - /var/lib/docker"
+# 1.6
+check_1_6="1.6  - Audit Docker files and directories - /var/lib/docker"
 directory="/var/lib/docker"
 if [ -d "$directory" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep $directory >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_8"
+      pass "$check_1_6"
     else
-      warn "$check_1_8"
+      warn "$check_1_6"
     fi
   else
-    warn "1.8  - Failed to inspect: auditctl command not found."
+    warn "1.6  - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_8"
+  info "$check_1_6"
   info "     * Directory not found"
 fi
 
-# 1.9
-check_1_9="1.9  - Audit Docker files and directories - /etc/docker"
+# 1.7
+check_1_7="1.7  - Audit Docker files and directories - /etc/docker"
 directory="/etc/docker"
 if [ -d "$directory" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep $directory >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_9"
+      pass "$check_1_7"
     else
-      warn "$check_1_9"
+      warn "$check_1_7"
     fi
   else
-    warn "1.9  - Failed to inspect: auditctl command not found."
+    warn "1.7  - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_9"
+  info "$check_1_7"
   info "     * Directory not found"
 fi
 
-# 1.10
-check_1_10="1.10 - Audit Docker files and directories - docker.service"
+# 1.8
+check_1_8="1.8  - Audit Docker files and directories - docker.service"
 file="$(get_systemd_service_file docker.service)"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep "$file" >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_10"
+      pass "$check_1_8"
     else
-      warn "$check_1_10"
+      warn "$check_1_8"
     fi
   else
-    warn "1.10 - Failed to inspect: auditctl command not found."
+    warn "1.8  - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_10"
+  info "$check_1_8"
   info "     * File not found"
 fi
 
-# 1.11
-check_1_11="1.11 - Audit Docker files and directories - docker.socket"
+# 1.9
+check_1_9="1.9  - Audit Docker files and directories - docker.socket"
 file="$(get_systemd_service_file docker.socket)"
 if [ -e "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep "$file" >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_11"
+      pass "$check_1_9"
     else
-      warn "$check_1_11"
+      warn "$check_1_9"
     fi
   else
-    warn "1.11 - Failed to inspect: auditctl command not found."
+    warn "1.9  - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_11"
+  info "$check_1_9"
   info "     * File not found"
 fi
 
-# 1.12
-check_1_12="1.12 - Audit Docker files and directories - /etc/default/docker"
+# 1.10
+check_1_10="1.10 - Audit Docker files and directories - /etc/default/docker"
 file="/etc/default/docker"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep $file >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_12"
+      pass "$check_1_10"
     else
-      warn "$check_1_12"
+      warn "$check_1_10"
     fi
   else
-    warn "1.12 - Failed to inspect: auditctl command not found."
+    warn "1.10 - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_12"
+  info "$check_1_10"
   info "     * File not found"
 fi
 
-# 1.13
-check_1_13="1.13 - Audit Docker files and directories - /etc/docker/daemon.json"
+# 1.11
+check_1_11="1.11 - Audit Docker files and directories - /etc/docker/daemon.json"
 file="/etc/docker/daemon.json"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep $file >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_13"
+      pass "$check_1_11"
     else
-      warn "$check_1_13"
+      warn "$check_1_11"
     fi
   else
-    warn "1.13 - Failed to inspect: auditctl command not found."
+    warn "1.11 - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_13"
+  info "$check_1_11"
   info "     * File not found"
 fi
 
-# 1.14
-check_1_14="1.14 - Audit Docker files and directories - /usr/bin/docker-containerd"
+# 1.12
+check_1_12="1.12 - Audit Docker files and directories - /usr/bin/docker-containerd"
 file="/usr/bin/docker-containerd"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep $file >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_14"
+      pass "$check_1_12"
     else
-      warn "$check_1_14"
+      warn "$check_1_12"
     fi
   else
-    warn "1.14 - Failed to inspect: auditctl command not found."
+    warn "1.12 - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_14"
+  info "$check_1_12"
   info "     * File not found"
 fi
 
-# 1.15
-check_1_15="1.15 - Audit Docker files and directories - /usr/bin/docker-runc"
+# 1.13
+check_1_13="1.13 - Audit Docker files and directories - /usr/bin/docker-runc"
 file="/usr/bin/docker-runc"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep $file >/dev/null 2>&1
     if [ $? -eq 0 ]; then
-      pass "$check_1_15"
+      pass "$check_1_13"
     else
-      warn "$check_1_15"
+      warn "$check_1_13"
     fi
   else
-    warn "1.15 - Failed to inspect: auditctl command not found."
+    warn "1.13 - Failed to inspect: auditctl command not found."
   fi
 else
-  info "$check_1_15"
+  info "$check_1_13"
   info "     * File not found"
 fi
